CISA Warns of Emotet Attacks on US State, Local Governments
July 2020 saw a sharp increase in attacks by Emotet, malware originally built as a banking Trojan and information stealer aimed at financial data, which has since evolved into a downloader and dropper for other malware and a major threat to users everywhere.
Emotet, first observed in 2014, had been dormant since February 2020 before resuming activity in July, with attacks surging in the months that followed.
In an alert released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC), the two organizations warned that since August they had seen a significant increase in malicious actors targeting state and local governments with phishing emails designed to drop Emotet. The alert further stated: “Emotet is difficult to combat because of its ‘worm-like’ features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.”
According to CISA, its intrusion detection system has logged roughly 16,000 Emotet-related alerts since July, along with Emotet-related traffic over ports 80, 8080, and 443. In one instance an Emotet-related IP address attempted to connect over port 445, suggesting possible use of Server Message Block (SMB).
CISA observed that in February and July 2020 the Emotet campaigns relied mainly on COVID-19-themed phishing against victims in the United States and abroad. By August the operators had changed tactics to improve their hit rate, and attacks on U.S. targets rose: password-protected archives were used as attachments to slip past email security gateways, which cannot scan an archive they cannot open, and security researchers observed thread hijacking, in which the lure is sent as a reply inside a stolen, genuine email conversation, being used to deliver Emotet.
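The two delivery tricks above leave measurable traces that a mail gateway or triage script can score without opening the archive. The following is an added example, not code from the CISA/MS-ISAC alert or from Techcess: it checks the ZIP encryption flag in the central directory (which is never encrypted), looks for the password being handed over in the body, and treats a "RE:" subject plus In-Reply-To/References headers as the reply-chain indicator. The sample message, addresses, filenames and archive are constructed here for the demonstration; Python's zipfile cannot write encrypted archives, so the constructed sample sets the flag bit by hand.

```python
"""Heuristic triage for the Emotet delivery pattern described above: a
password-protected ZIP attached to a hijacked reply-chain e-mail, with the
archive password handed to the victim in the message body.

Added example, not from the CISA/MS-ISAC alert. The sample message, its
addresses and the archive are constructed here for the demonstration.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# MIME types under which mail clients commonly ship ZIP attachments.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream"}
# "the password is X" / "password: X" in the body is the tell: the sender
# needs the victim, not the gateway, to be able to open the archive.
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:)\s*([^\s.,;]+)", re.IGNORECASE)
REPLY_RE = re.compile(r"^\s*(?:re|fw|fwd)\s*:", re.IGNORECASE)


def archive_is_encrypted(payload: bytes) -> bool:
    """True if any ZIP entry has general-purpose flag bit 0 (encrypted) set.

    The flag lives in the central directory, which is never encrypted, so the
    check needs no password and no extraction; a gateway can do it too.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def analyze_message(raw: bytes) -> dict:
    """Score one RFC 5322 message on the three indicators from the alert."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {"encrypted_archives": [], "password_in_body": None,
                "reply_chain": False, "score": 0}

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() in ARCHIVE_TYPES:
            data = part.get_payload(decode=True) or b""
            if archive_is_encrypted(data):
                findings["encrypted_archives"].append(name)

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    match = PASSWORD_RE.search(text)
    if match:
        findings["password_in_body"] = match.group(1)

    # Thread hijacking: the lure arrives as a reply inside an existing
    # conversation, so it carries In-Reply-To/References and a "RE:" subject.
    if (msg["In-Reply-To"] or msg["References"]) and REPLY_RE.match(msg["Subject"] or ""):
        findings["reply_chain"] = True

    findings["score"] = (bool(findings["encrypted_archives"])
                         + bool(findings["password_in_body"])
                         + findings["reply_chain"])
    return findings


def build_zip(encrypted_flag: bool) -> bytes:
    """Constructed one-entry ZIP. zipfile cannot write ZipCrypto archives, so
    the encryption flag is patched into the local and central headers by hand;
    the detector only reads the flag, so the content itself is left in clear.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"constructed stand-in for a macro document")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        # local file header: flags at +6; central directory entry: flags at +8
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01  # little-endian, so bit 0 is in this byte
                pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample_message(malicious: bool = True) -> bytes:
    """Constructed message: the hijacked-thread lure, or a benign control."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "clerk@example.gov"
    if malicious:
        msg["Subject"] = "RE: Invoice for September"
        msg["In-Reply-To"] = "<constructed-thread-id@example.com>"
        msg.set_content("Hi, as discussed, the attached invoice. "
                        "The password is Sept2020\n")
    else:
        msg["Subject"] = "Invoice for September"
        msg.set_content("Hi, attached is the invoice we discussed.\n")
    msg.add_attachment(build_zip(encrypted_flag=malicious), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, mal in (("lure", True), ("benign", False)):
        print(label, analyze_message(build_sample_message(mal)))
```

The point of scoring the three indicators together is that each alone is common in legitimate mail; an encrypted archive whose password sits in the body of a reply to an existing thread is the combination the alert describes, and a gateway that cannot inspect the archive should treat that combination as a quarantine signal rather than passing the message because nothing inside it could be scanned.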
By September, Emotet was dropping Trickbot, which in some cases went on to deliver ransomware, and Qakbot, which steals banking credentials and other information from victims, and the activity surged worldwide.
The alert by CISA and MS-ISAC also lists the attack techniques Emotet employs, provides Snort signatures to help with detection, and gives network defenders recommendations for improving their security posture, applicable to organizations at any level of government and in any sector.
Reference
https://us-cert.cisa.gov/ncas/alerts/aa20-280a
Contact Us
Learn more about what Techcess CyberSecurity Group can do for your business.
1-833-TXCYBER
1-833-892-9237
Techcess CyberSecurity Group
6110 Clarkson Lane
Houston, Texas 77055